Security: Risk - Paiet/Tech-Journal-for-Everything GitHub Wiki

  • What is Risk?

    • Chance of Loss we take in the course of doing business!
      • e.g. as a new business -- we need you to like it.
    • At a technical level, risk is the chance we take in using a product in our business.
      • e.g. choosing one OS over another, choosing one hardware over another.
    • Risk Types:
      • Natural
      • Man Made
      • System/Device
  • Risk Analysis Phases

    1. Identify Your Assets and determine value
    2. Identify Vulnerability to the asset
    3. Threat Assessments (threat vectors)
    4. Probability (threat matrices)
    5. Impact Analysis
    6. Responses:
  • What can we do about it? Risk Response

    • Acceptance:

    • Avoidance:

    • Deterrence:

    • Mitigation:

    • Transference:

    • We can implement controls:

    • Control Types (Acceptance and Mitigation)

      • Technical: Configuration and Implementation
        • False Positives and False Negatives
      • Managerial: Policies and Decisions
      • Operational: Responsibility Assignment
    • We can implement

    • Common Policies for Reducing Risks (Deterrence and Mitigation)

      • Privacy Policies
      • Acceptable Use Policies
      • Security Policies
      • Mandatory Vacation
      • Job Rotation
      • Separation of Duties
      • Principle of Least Privilege
    • Security Policy Templates:

  • Risk Management

    • Risk Calculation (Business /Device)
      • Likelihood (slide)
      • ALE: Annualized Loss Expectancy
      • Impact: Level of Consequences
      • SLE: Single Loss Expectancy
      • ARO: Annualized Rate of Occurrence
      • MTTR: Mean Time to Recovery
      • MTTF: Mean Time to Failure
      • MTBF: Mean Time Between Failure

Quantitative vs Qualitative:

+-------------------+-------------------+
|   Quantitative    |    Qualitative    |
+-------------------+-------------------+
|      Numbers      |     Scenarios     |
+-------------------+-------------------+
|     Equations     |   Brainstorming   |
|   SLE = EF * AV   |   Storyboarding   |
|   ARO = per year  |  Value Judgment   |
|   AV * ARO = ALE  |      Surveys      |
|   EF = % of loss  |     Interviews    |
|                   |      Meetings     |
+-------------------+-------------------+

  • Risk Associated with Cloud Computing and Virtualization

    • Transfer Data Security
    • Tenant Hosting - Separate Data
    • Data Disposal - How do you get rid of data?
    • Data Availability - disruption, loss, protections
    • Malicious Insiders
  • Vulnerabilities--Slide

  • Threat Vectors--Slide

  • Business Failure / Device Failure (RTO/RPO)

  • Probability / Threat likelihood - slide